Phil Daws | 24 May 11:56 2015

ModSecurity 2.9.0-refactor and NGINX 1.9.0

Hello all:

Have been experimenting with ModSec and NGINX, instead of using Mod and Apache, for hosting my Wordpress
site but having real issues with performance.  Under Apache the site works fine but as soon as I switch to
NGINX then the dashboard becomes completely unusable and I end up with 500 errors and constant timeouts.
Have even tried to disable NGINX for that area using:

location /wp-admin/ {
        ModSecurityEnabled off;
}

but that makes very little difference at all.  Any thoughts as to why? This is what I have in modsecurity.conf:

SecRuleEngine On
SecStatusEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature NGINX
SecComponentSignature 200911012341
SecUploadDir /var/cache/modsecurity/suspicious
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
SecAuditLog /var/log/nginx/audit_log
SecAuditLogParts ABIFHKZ
SecArgumentSeparator "&"
SecCookieFormat 0

Williams, David A. | 22 May 19:06 2015

cleaning cookies

We're seeing many SQL Inject rules triggered by cookies, often cookies we don't set or need.  For the
cookies we do need, we're tuning the rules to allow those cookies through.  The deeper I look into this the
odder it seems.  We're seeing many cookies presented that we don't need or use and they often have "fishy"
content.  Rather than blocking those users, I'd like to mask that content from our servers.

Before I go too far down a dead end path: can I use rsub on headers or only body content?  And more importantly,
is there a better way to address this situation?  Any prefab rules to drop selected cookies or their payload
from the request?

Thanks for any help or pointers you can offer,
-David

--------------
David Williams
Chief, Website Management Branch
Information Management Services
U.S. Patent & Trademark Office
U.S. Department of Commerce
Madison West, 4D35
Alexandria, VA 22314
1-571-272-3877
david.williams <at> uspto.gov

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net

Jason Haar | 17 May 22:49 2015

howto add geoip and rbl results to headers?

Hi there

I want to enable the geoip and rbl lookups on our modsecurity server and
instead of blocking, make their results known to any backend servers via
putting their values into X-WAF-XXXX HTTP headers. I'm afraid I haven't
played with modsecurity for several years and I can't figure out how to
do this. I found Google references for blocking, but not tagging.

Can anyone help me out please? :-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Ehsan Mahdavi | 16 May 07:54 2015

Problem using mlogc with Nginx

Hi all

Migrating from apache to nginx, I am experiencing some problems. One of them is that I can't use mlogc as a piped command in the SecAuditLog directive like this:

SecAuditLog "|/path/to/mlogc     /path/to/mlogc.conf"

The error is like this:

ModSecurity: Failed to open the audit log pipe: /path/to/mlogc     /path/to/mlogc.conf

I am aware of mlogc-batch-load.pl and I think I must somehow utilize it.
What is the exact way of using mlogc in nginx?

P.S.: I am using modsecurity 2.9.0 and nginx/1.6.3.


--
                    regards
                 Ehsan.Mahdavi

J son | 15 May 17:58 2015

Outbound rules not working


Hi all

I am running Ubuntu 14.04 and carried out a vanilla install of modsec through apt-get.  I have activated all the base-rules.  It is in detection only mode and I have chosen Anomaly scoring.

I have made minimal changes to the vanilla install which are:

in /etc/modsecurity/modsecurity.conf
- SecAuditLogType Concurrent
in /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
- SecDefaultAction "phase:2,pass,log"

The website is internal and vulnerable while we test out ModSec.  This setup works well on many counts.  I get modsec alerts in error.log such as SQL Injection and Remote File Access attempt.  These alerts are Inbound alerts followed by a Correlated alert.

However I never get any Outbound alerts (leaked data etc).  Do I have to do something special to enable outbound rules or data processing?

I have checked and "SecResponseBodyAccess On" is set in modsecurity.conf.
modsecurity_crs_50_outbound.conf & modsecurity_crs_59_outbound_blocking.conf are activated rules.

I think ModSec is great - thanks to all the contributors.  Regards

Jay
Ehsan Mahdavi | 13 May 14:28 2015

Which content types are available?

Hi all

I need to know the exact and complete list of content types that might be used with tx.allowed_request_content_type in the CRS.

P.S. : SecAction id: 900012

--
                    regards
                 Ehsan.Mahdavi

Søren Christian Aarup | 11 May 14:46 2015

Sanitising

Hi all.

The following is returned from my upstreams upon a POST request, and it contains card data which I want to sanitise from the audit log.

<input type="hidden" name="cardno" value="XXXXXXXXXXXXXXXX" ….

How would you do that? I have looked at sanitiseMatchedBytes, but that is a regular expression on a variable (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#sanitiseMatchedBytes) – which variable is that?


Med venlig hilsen/Regards

Søren Christian Aarup
DBA/System Administrator

LinkedIn: www.linkedin.com/in/aarup

Piyush Misra | 10 May 01:52 2015

New to mod security. Experiencing issues with ModSecurity and Nginx Config

Hello Team,

I have installed Modsecurity and Nginx in a box using the following method:
1. git clone git://github.com/SpiderLabs/ModSecurity.git
2. cd mod_security
3. ./autogen.sh
4. ./configure --enable-standalone-module --disable-mlogc
5. make
-----------(No Errors)
wget http://www.nginx.org/download/nginx-1.8.0.tar.gz
tar -xvpzf nginx-1.8.0.tar.gz
cd nginx-1.8.0
./configure --add-module=../mod_security/nginx/modsecurity --with-http_ssl_module
make
make install
--------(No Errors)

My Nginx.conf file contents are as below:
server {
listen 80;
server_name xx.yy.com;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
ModSecurityEnabled on;
ModSecurityConfig /usr/local/nginx/conf/modsecurity.conf;
root html;
index index.html index.htm;
proxy_pass http://mysite.mydomain.com:8080;
}
}
When I start my nginx server and open xx.yy.com in a browser it gives me the following response:
The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

The error log just says:
2015/05/08 00:32:04 [alert] 27771#0: worker process 27772 exited on signal 11
2015/05/08 00:32:04 [alert] 27771#0: worker process 27773 exited on signal 11
2015/05/08 00:56:11 [alert] 27771#0: worker process 27774 exited on signal 11

Whereas if I write ModSecurityEnabled off;
everything works fine.

I have a simple setup for testing this.
In one box I have nginx+modsecurity > haproxy > webserver 1 and webserver 2
webserver 1 and 2 contain apache serving a simple html file which outputs to the browser a text being "Server 1" or "Server 2"


Could you please help me out with this? This is urgent, as I need to test it for my project work.

Thanks,

Piyush
Morris Taylor | 9 May 09:34 2015

Cannot build mlogc from source

Hi there, 

Has anyone tried to build mlogc with the latest source tarball (2.9.0)?
After finishing configuring, I entered "make mlogc" and get the
following message:

"make: *** No rule to make target `mgloc'.  Stop." 

It seems that the make target is not well defined in the Makefile. Can
anyone help me to solve the problem? Thanks!

-- 
BR, Morris

Bret.Hillier | 5 May 01:31 2015

Best version of mod_security to use

Hi all

I am using IBM HTTP Server v6.0.2 (apache 2.0.47 based) on Windows Server 2003.

I wish to conceal the Server response header and am unable to do this in the version of IHS that I am running.  The mod_security module is able to do this, I understand.

What version of mod_security do you recommend I install?

Many thanks for your time,
Bret

Bret Hillier
Consultant

+64 9 550 0662 / +64 21 422 189
Bret.Hillier <at> certussolutions.com
certussolutions.com
Francisco Martinez | 29 Apr 21:51 2015

response headers being filtered out

Hello,

We are running the 1.8.0 version of Nginx with Modsecurity 2.9.0 nginx_refactoring branch compiled:

2015/04/29 19:51:38 [notice] 6430#0: ModSecurity for nginx (STABLE)/2.9.0 (http://www.modsecurity.org/) configured.
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: LUA compiled version="Lua 5.1"
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.


In our configuration, we want to set the CORS headers to any request accessing us. For doing that, in nginx we do:
add_header 'Access-Control-Allow-Origin' $cors_origin always;
add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
add_header 'Access-Control-Allow-Methods' $cors_methods always;
add_header 'Access-Control-Allow-Headers' $cors_headers always;
add_header 'Access-Control-Max-Age' $cors_maxage always;

Note that we use the *always* keyword so that we *always* add those headers even when the backend (which is running with a proxy_pass) returns an error. 

Our location in nginx configuration file looks like this:

   location / {
        ModSecurityEnabled      on;
        ModSecurityConfig       modsecurity.d/modsecurity.conf;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
        add_header 'Access-Control-Allow-Methods' $cors_methods always;
        add_header 'Access-Control-Allow-Headers' $cors_headers always;
        add_header 'Access-Control-Max-Age' $cors_maxage always;

        if ($user) {
            proxy_pass http://nextver;
            break;
        }
        proxy_pass http://currver;
    }


When doing a curl I don't see the "Access-Control" headers. If I comment out the "ModSecurityEnabled/Config" lines, I can see them there:

< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS
< Access-Control-Allow-Headers: X-USER-AGENT, X-REQUESTED-WITH, X-USER-VERSION, X-COUNTRY-CODE
< Access-Control-Max-Age: 86400

I can also see the wanted headers if I access a non-error page.

I've been looking a little into the code and it seems there was a somewhat related bug solved by https://github.com/SpiderLabs/ModSecurity/pull/749/files .

My guess is that the somewhat new *always* directive is messing things up, as I see that if I make a request to a URL that returns a non-error, the headers are there. My (flawed) intuition tells me that maybe the *always* directive is somehow not honored by modsecurity and it will block headers on an error?

Can anyone point me to how to delve into this issue further, or look into the possible bug themselves?

Thanks for your help,
/fran